DATA SECURITY

Security Skills Shortage, Or Training Failure?

Most IT security groups are short-handed and can't find good people to hire, research says. But the real issue may be failure to invest in training new and current personnel.

11 Security Sights Seen Only At Black Hat

(click image for larger view and for slideshow)

Almost two-thirds of businesses say their information security departments are understaffed, and 51% say they can't find people with the required security skills.

Those findings come from a new Forrester Consulting report, "Security Intelligence Can Deliver Value Beyond Expectations And Needs To Be Prioritized," that was commissioned by IBM Global Technology Services. To make its point, the report largely references a Forrester Research survey of 2,400 executives and technology decision-makers at North American and European businesses, conducted more than a year ago.

According to the report, 53% of businesses say they can't find enough suitable employees to run in-house security intelligence programs. It describes security intelligence as "the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise."

Not coincidentally, the report notes that security intelligence programs can be largely automated, thus eliminating the need for so many warm bodies. Cue complementary findings, such as one chart titled: "security intelligence as a service overcomes all challenges to deliver amazing value," which is sourced to a May 2012 survey of "75 North American, U.K., and Indian IT security enterprise decision-makers."

Stepping back for a minute, whose fault is it that businesses, by their own admission, are facing a supposed talent shortage? Writing last year in The Wall Street Journal, human resources expert Peter Cappelli at the University of Pennsylvania's Wharton School lambasted business executives who said they didn't have sufficient access to talented personnel, when the very same people too often budgeted nothing for training, for either existing personnel or new hires, thus trapping their potential workforce in a Catch-22 situation. "One can't get work experience in school, and that's where training comes in," he said.

Likewise, in response to an InformationWeek column earlier this year that analyzed the supposed IT skills shortage, former hiring managers shared tales of "corporate cheapskates" who pursue the low-cost option at any cost, and failed to reinvest in their workforce, and then complained that they don't have enough fully trained--by others--personnel at their immediate disposal. "The moral compass is busted," said one Oracle/JDE consultant, noting that the days of many businesses investing in their employee's personal development appeared to be long gone.

In other words: Stop complaining about the skills shortage, and do something about it, both through training, as well as by working with local colleges and placement programs. "To get America's job engine revving again, companies need to stop pinning so much of the blame on our nation's education system," Cappelli said. "They need to drop the idea of finding perfect candidates and look for people who could do the job with a bit of training and practice."

Without a doubt, creating a top-notch information security program will demand investment, not least in training. And according to the Forrester survey, the information security risks that businesses must mitigate are very real: 72% of businesses said they're battling escalating and ever-evolving threats, 75% said knowing which threat to prioritize is a struggle, and 68% said that preventive measures are going by the wayside, owing to workload.

Given the escalating threat level, a recent study from IBM found--unsurprisingly--that chief information security officers (CISOs) are facing greater board-room pressure to improve their businesses' information security programs. Obviously, doing so will require spending money, and preferably to avoiding breaches, rather than simply to respond to them. "We know that it's much more expensive to implement your security controls afterwards," said Luba Cherbakov, a VP at IBM Security Services, speaking by phone.

For businesses that lack even a CISO, help is to hand--again, for a price. Multiple consulting companies, including CSC and IBM, offer
placeholder CISO programs that can immediately put a temporary security executive in place, and then help the business build up their program and hire a suitable CISO replacement.

Beyond hiring a good CISO and investing in training for frontline security personnel, the information security calculus also requires knowing when it's best to outsource. Top candidates, according to Forrester, include outsourcing for email hygiene purposes (42% of respondents say they do this), firewall management (33%), vulnerability management (23%), and access management (22%).

Furthermore, many of these types of services work best when they tap into a bigger-picture view, either via the aforementioned type of threat or security intelligence feed, or simply handing specific functions off entirely to a managed services provider. Cherbakov, for example, said that IBM's managed service program processes over 15 billion potential security events per day, drawing information from over 3,700 clients. Having that volume of data to analyze makes it easier to spot many types of online threats and attacks.

In other words, when it comes to addressing information security challenges, help is to hand. So rather than whining about a skills shortage, businesses need to hire a great CISO, train personnel to handle the latest threats, outsource when it makes economic sense, and keep the budget flowing. If your business isn't helping to employ and train the next generation of information-security professionals, then it's part of the security problem.

Cloud services can play a role in any BC/DR plan. Yet just 23% of 414 business technology pros responding to our 2011 Business Continuity/Disaster Recovery Survey use services as part of their application and data resiliency strategies, even though half (correctly) say it would reduce overall recovery times. Our The Cloud's Role In BC/DR report shows how the combination of cloud backup and IaaS offerings can be a beneficial part of a "DR 2.0" plan. (Free registration required.)

White Papers

Reports

Comments

emb0@aol.com

User Rank: Apprentice

Tue, 08/21/2012 - 16:24

re: Security Skills Shortage, Or Training Failure?

I've read much of Dr. Cappelli's research based views and he's spot on. He lists many other practices that led to so-called skilled worker shortages but lack of corporate training programs is among the primary causes. I appreciate that you've noticed and connected it to the security field.

Corporations and government agencies like to complain that they "simply cannot find" trained employees.... for the most obscure, one-off, non standard software suites. There is not training for these products other than on the job training. No colleges are going to teach these skills. Freelancers would never pay for the training themselves because there is no market for it.

What the Corp's are really complaining about is that they don't want to pay a living wage for anyone to learn the skills that are required.

It's naive to think that attending a few training classes will make you an expert - it won't. Training provides foundational knowledge which in turn needs to be applied and practiced in a real world setting. There also has to be some genuine desire on the part of the employee to learn. Formal classroom instruction during working hours is one option, but it's expensive and requires time away from work. Self-study is another option that is cheaper and, in my opinion, far more effective in the long run. Since the demand for IT Security professionals will continue unabated for the foreseeable future, it makes sense for anyone who is looking to advance in their careers to take charge of their destiny and acquire the necessary knowledge and skills on their own. Waiting for the corporate suits/skirts to invest in you is simply not going to happen. The added bonus is that once you acquire these new skills, you will be positioned to jump ship once a better gig comes along.

I think one of the issues that you have to look at here is - what happens when an organization pays for an employee to get trained in a specific skill or software package and then said employee suddenly finds themselves a lot more marketable and worth more, although the organization is not willing to increase their compensation?

Organizations are worried about their training dollars walking out the door. Employees don't have the spare time or money to obtain training on their own and there's no impetus for them to learn something new if they're not going to be compensated for it.

Boils down to organizations wanting something for nothing and individuals wanting compensation for doing something.

With security skill sets (and threats) evolving continually, there has to be a happy medium found in order to keep security professionals current - otherwise you end up with folks with outdated skills, folks with classroom experience but no real-world experience or folks who happen to land a position because they're a friend/relative of a C-level exec. In any of the three cases, the organization is at risk - how much risk depends a lot on the organization, obviously.

The board room needs to ask itself, is the amount of risk that we're willing to incur by not keeping our security team modernized on par with the cost of the training to keep them current and the compensation to keep them with the organization?

All these companies and people running them make broad statements that tell only half truths. The statement "We can't find the people with the skills" is really "We can't find the people with the skills AT THE PRICE WE WANT TO PAY". Its supply and demand and if the industry up's the wages as they have for CEO and other executives its a safe bet to say the void will be filled albeit with a bit of lag time for experience to build. The Numbnuts at CNN and CNBC air this weekly letting "guest experts" away with the "half truth" statement.